Update the Gentoo importer to correctly handle affected_version_range and fixed_version_range for non-revision versions

Signed-off-by: ziad hany <ziadhany2016@gmail.com>

Author: ziadhany

vulnerabilities/pipelines/v2_importers/gentoo_importer.py

@@ -9,6 +9,7 @@
 
 import re
 import xml.etree.ElementTree as ET
+from collections import defaultdict
 from pathlib import Path
 from typing import Iterable
 
@@ -81,20 +82,23 @@ def process_file(self, file):
 
             if child.tag == "affected":
                 affected_packages = []
-                seen_packages = set()
-
-                for purl, constraint in get_affected_and_safe_purls(child, logger=self.log):
-                    signature = (purl.to_string(), str(constraint))
-
-                    if signature not in seen_packages:
-                        seen_packages.add(signature)
-
-                        affected_package = AffectedPackageV2(
-                            package=purl,
-                            affected_version_range=EbuildVersionRange(constraints=[constraint]),
-                            fixed_version_range=None,
-                        )
-                        affected_packages.append(affected_package)
+                for purl, (affected_ranges, fixed_ranges) in get_affected_and_fixed_purls(
+                    child, logger=self.log
+                ):
+                    affected_version_constraint = build_constraints(
+                        affected_ranges, logger=self.log
+                    )
+                    fixed_version_constraint = build_constraints(fixed_ranges, logger=self.log)
+                    affected_version_range = EbuildVersionRange(
+                        constraints=affected_version_constraint
+                    )
+                    fixed_version_range = EbuildVersionRange(constraints=fixed_version_constraint)
+                    affected_package = AffectedPackageV2(
+                        package=purl,
+                        affected_version_range=affected_version_range,
+                        fixed_version_range=fixed_version_range,
+                    )
+                    affected_packages.append(affected_package)
 
             if child.tag == "impact":
                 severity_value = child.attrib.get("type")
@@ -131,61 +135,67 @@ def cves_from_reference(reference):
         return cves
 
 
-def extract_purls_and_constraints(pkg_name, pkg_ns, constraints, invert, logger):
-    for comparator, version, slot_value in constraints:
-        qualifiers = {"slot": slot_value} if slot_value else {}
-        purl = PackageURL(type="ebuild", name=pkg_name, namespace=pkg_ns, qualifiers=qualifiers)
-
+def build_constraints(constraint_pairs, logger):
+    """
+    Build a list of VersionConstraint objects from comparators, versions pairs.
+    """
+    constraints = []
+    for comparator, version in constraint_pairs:
         try:
             constraint = VersionConstraint(version=GentooVersion(version), comparator=comparator)
-
-            if invert:
-                constraint = constraint.invert()
-
-            yield purl, constraint
+            constraints.append(constraint)
         except InvalidVersion as e:
             logger(f"InvalidVersion constraints version: {version} error:{e}")
+    return constraints
+
 
+def get_affected_and_fixed_purls(affected_elem, logger):
+    """
+    Parses XML elements to extract PURLs associated with affected and fixed versions.
+    """
 
-def get_affected_and_safe_purls(affected_elem, logger):
     for pkg in affected_elem:
         name = pkg.attrib.get("name")
         if not name:
             continue
-        pkg_ns, _, pkg_name = name.rpartition("/")
-
-        safe_constraints, affected_constraints = get_safe_and_affected_constraints(pkg)
 
-        yield from extract_purls_and_constraints(
-            pkg_name, pkg_ns, affected_constraints, invert=False, logger=logger
-        )
-        yield from extract_purls_and_constraints(
-            pkg_name, pkg_ns, safe_constraints, invert=True, logger=logger
-        )
-
-
-def get_safe_and_affected_constraints(pkg):
-    safe_versions = set()
-    affected_versions = set()
-    for info in pkg:
-        # All possible values of info.attrib['range'] =
-        # {'gt', 'lt', 'rle', 'rge', 'rgt', 'le', 'ge', 'eq'}
-        range_value = info.attrib.get("range")
-        slot_value = info.attrib.get("slot")
-        comparator_dict = {
-            "gt": ">",
-            "lt": "<",
-            "ge": ">=",
-            "le": "<=",
-            "eq": "=",
-            "rle": "<=",
-            "rge": ">=",
-            "rgt": ">",
-        }
-        comparator = comparator_dict.get(range_value)
-        if info.tag == "unaffected":
-            safe_versions.add((comparator, info.text, slot_value))
-
-        elif info.tag == "vulnerable":
-            affected_versions.add((comparator, info.text, slot_value))
-    return safe_versions, affected_versions
+        pkg_ns, _, pkg_name = name.rpartition("/")
+        # purl_components, (fixed_ranges_set, affected_ranges_set)
+        purl_ranges_map = defaultdict(lambda: {"fixed_ranges": set(), "affected_ranges": set()})
+
+        for info in pkg:
+            # All possible values of info.attrib['range'] =
+            # {'gt', 'lt', 'rle', 'rge', 'rgt', 'le', 'ge', 'eq'}
+            # rge means revision greater than equals and rgt means revision greater than
+
+            range_value = info.attrib.get("range")
+            slot_value = info.attrib.get("slot")
+            comparator_dict = {
+                "gt": ">",
+                "lt": "<",
+                "ge": ">=",
+                "le": "<=",
+                "eq": "=",
+                # "rle": "<=",
+                # "rge": ">=",
+                # "rgt": ">",
+            }
+            comparator = comparator_dict.get(range_value)
+            if not comparator:
+                logger(f"Unsupported range value {range_value}:{info.text}")
+                continue
+
+            if info.tag == "unaffected":
+                purl_ranges_map[(pkg_name, pkg_ns, slot_value)]["fixed_ranges"].add(
+                    (comparator, info.text)
+                )
+
+            elif info.tag == "vulnerable":
+                purl_ranges_map[(pkg_name, pkg_ns, slot_value)]["affected_ranges"].add(
+                    (comparator, info.text)
+                )
+
+        for (pkg_name, pkg_ns, slot_value), data in purl_ranges_map.items():
+            qualifiers = {"slot": slot_value} if slot_value else {}
+            purl = PackageURL(type="ebuild", name=pkg_name, namespace=pkg_ns, qualifiers=qualifiers)
+            yield purl, (data["affected_ranges"], data["fixed_ranges"])

vulnerabilities/tests/test_data/gentoo_v2/glsa-201709-09-expected.json

@@ -15,36 +15,8 @@
           "qualifiers": "",
           "subpath": ""
         },
-        "affected_version_range": "vers:ebuild/0.1.1",
-        "fixed_version_range": null,
-        "introduced_by_commit_patches": [],
-        "fixed_by_commit_patches": []
-      },
-      {
-        "package": {
-          "type": "ebuild",
-          "namespace": "dev-vcs",
-          "name": "subversion",
-          "version": "",
-          "qualifiers": "",
-          "subpath": ""
-        },
-        "affected_version_range": "vers:ebuild/<1.9.7",
-        "fixed_version_range": null,
-        "introduced_by_commit_patches": [],
-        "fixed_by_commit_patches": []
-      },
-      {
-        "package": {
-          "type": "ebuild",
-          "namespace": "dev-vcs",
-          "name": "subversion",
-          "version": "",
-          "qualifiers": "",
-          "subpath": ""
-        },
-        "affected_version_range": "vers:ebuild/<=1.8.18",
-        "fixed_version_range": null,
+        "affected_version_range": "vers:ebuild/0.1.1|<1.9.7",
+        "fixed_version_range": "vers:ebuild/>=1.9.7",
         "introduced_by_commit_patches": [],
         "fixed_by_commit_patches": []
       }

vulnerabilities/tests/test_data/gentoo_v2/glsa-202511-02-expected.json

@@ -40,7 +40,7 @@
           "subpath": ""
         },
         "affected_version_range": "vers:ebuild/<2.48.5",
-        "fixed_version_range": null,
+        "fixed_version_range": "vers:ebuild/>=2.48.5",
         "introduced_by_commit_patches": [],
         "fixed_by_commit_patches": []
       },
@@ -54,7 +54,7 @@
           "subpath": ""
         },
         "affected_version_range": "vers:ebuild/<2.48.5",
-        "fixed_version_range": null,
+        "fixed_version_range": "vers:ebuild/>=2.48.5",
         "introduced_by_commit_patches": [],
         "fixed_by_commit_patches": []
       }

vulnerabilities/tests/test_data/gentoo_v2/glsa-202512-01-expected.json

@@ -14,7 +14,7 @@
           "subpath": ""
         },
         "affected_version_range": "vers:ebuild/<2.5.14",
-        "fixed_version_range": null,
+        "fixed_version_range": "vers:ebuild/>=2.5.14",
         "introduced_by_commit_patches": [],
         "fixed_by_commit_patches": []
       }